#3530 PAM authentication fails if 'root' has no passw

1.490
closed-fixed
5
2009-11-04
2009-11-04
Anonymous
No

I have removed the root password from my machines using 'passwd -d root' so that it's only possible to authenticate as root using SSH keypairs or as a sudoer.

This causes the code in miniserv.pl to fail when trying to detect whether PAM is enabled. The pam_conv callback is never triggered when pam_authenticate() is called. This is the test that miniserv uses to check to see if PAM is working.

I needed to change line 104 of miniserv.pl from

if (ref($pamh = new Authen::PAM($config{'pam'}, "root",

to

if (ref($pamh = new Authen::PAM($config{'pam'}, "webmin",

(after adding a 'webmin' user with a password to my machine)

Perhaps the user that miniserv tests pam_authenticate for should be a config param in miniserv.conf?

Discussion

  • Jamie Cameron

    Jamie Cameron - 2009-11-04

    Thanks, I didn't consider the case where root's password would be disabled.

    In Webmin 1.500, you will be able to specify a different test user by editing /etc/webmin/miniserv.conf and adding the line:

    pam_test_user=webmin

    then running /etc/webmin/restart

     
  • Jamie Cameron

    Jamie Cameron - 2009-11-04
    • status: open --> closed
     
  • Jamie Cameron

    Jamie Cameron - 2009-11-04
    • status: closed --> closed-fixed
     
  • David Esposito

    David Esposito - 2009-11-05

    Actually, this is also a problem in validate_unix_user()

    If a user doesn't have a password, the pam_authenticate() returns PAM_SUCCESS() ... which means that the user can log in using any password they wish

     
  • Jamie Cameron

    Jamie Cameron - 2009-11-05

    Isn't that expected? If a user has no password set, you can SSH in without needing to enter any password.

    In the original case, root's password was locked.
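
The last two comments turn on whether an account's password is blank or locked. As an added example (not part of the original ticket or of Webmin's code), this shell function classifies the password field of shadow(5) entries so an administrator can find accounts in the state that `passwd -d` leaves behind. The function names and sample lines are constructed, and the Linux shadow-utils field layout is assumed.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5)-format lines on stdin.
# Assumes the Linux shadow-utils layout "name:password:lastchg:...".

# Prints "name state" for each entry, where state is one of:
#   empty  - password field is blank (what `passwd -d` leaves behind)
#   locked - field starts with "!" or "*" (e.g. `passwd -l`, system accounts)
#   set    - field holds a usable hash
classify_shadow() {
    awk -F: '
        /^#/ || NF < 2 { next }                 # skip comments, blank and malformed lines
        $2 == ""       { print $1, "empty";  next }
        $2 ~ /^[!*]/   { print $1, "locked"; next }
                       { print $1, "set" }
    '
}

# Prints only the accounts with a blank password field. Exit status is 1 when
# at least one is found, so the function can gate a scheduled audit.
empty_password_accounts() {
    classify_shadow | awk '$2 == "empty" { print $1; found = 1 } END { exit found + 0 }'
}

# Constructed sample data, not taken from a real system.
sample_shadow() {
    cat <<'EOF'
root::14552:0:99999:7:::
daemon:*:14552:0:99999:7:::
webmin:$6$constructedsalt$constructedhash:14552:0:99999:7:::
backup:!$6$constructedsalt$constructedhash:14552:0:99999:7:::
EOF
}

# On a live host (as root): empty_password_accounts < /etc/shadow
sample_shadow | classify_shadow
```

Whether a blank password field is accepted at login depends on the PAM stack: pam_unix only permits it when the `nullok` option is present on its auth line.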

     
